Privacy Policy

This policy explains how Assay collects, uses, and protects your personal data. Assay is a product of Goldseam AI Consulting Ltd, a company registered in England & Wales (company number 16896682). We are committed to handling your data transparently and in accordance with UK GDPR and the Data Protection Act 2018.

1. Who we are

Data controller: Goldseam AI Consulting Ltd, registered in England & Wales, company number 16896682.

For privacy enquiries contact us at privacy@runassay.app.

2. What data we collect

We collect two categories of personal data:

  • Account data - your name and email address. Authentication is handled entirely by Clerk; Assay does not store your password or any other authentication credentials.
  • Contact data - information about third parties (your contacts) that you import or enter into Assay, including names, email addresses, job titles, companies, notes, relationship grades, and outreach history. You are the data controller for this data; we act as your data processor. See our Data Processing Agreement for details.
  • Usage data - log data, error reports (via Sentry), and cookieless usage analytics (via Plausible) about how you use the service, collected to improve the product and diagnose issues.

3. Why we collect it and how we use it

We use your data solely to provide and improve the Assay service. Specifically:

  • Account data (name, email address) - used to authenticate you, manage your subscription, and communicate service updates. Lawful basis: contract performance (Article 6(1)(b)) - processing is necessary to provide the service you have subscribed to.
  • Contact data displayed in the app (contacts, grades, outreach history) - used to provide the core relationship-management features of the service. Lawful basis: contract performance (Article 6(1)(b)) - necessary to deliver the features you have paid for.
  • Contact data sent to the Anthropic API - contact names, job titles, and any notes you have written about a contact may be included in prompts sent to Anthropic to generate outreach drafts on your behalf. This is explicit. Lawful basis: contract performance (Article 6(1)(b)) - generating personalised drafts is the core feature of the service.
  • Contact data sent to enrichment providers (Exa, Tavily) - contact names and company names are sent to enrichment APIs to supplement your contact records with publicly available professional information. Lawful basis: legitimate interests (Article 6(1)(f)) - our legitimate interest in providing a richer contact management experience, and your interest as a subscriber in having up-to-date professional data about your network.
  • Usage and analytics data - error reports (via Sentry) and cookieless usage analytics (via Plausible) used to diagnose issues and improve the product. Plausible does not use cookies, does not collect IP addresses, and does not track individuals across sessions or sites. Lawful basis: legitimate interests (Article 6(1)(f)) - our legitimate interest in understanding service usage and improving the product. You can object to this processing at any time (see Section 6).
  • Billing records retained after account closure - invoices and payment records kept after you close your account. Lawful basis: legal obligation (Article 6(1)(c)) - UK tax law requires us to retain financial records for 7 years.

We do not sell your data or use it to profile you for advertising.

4. Third-party services that receive your data

We share data with the following sub-processors in order to operate the service:

  • Clerk (auth.clerk.com) - authentication and user management. Receives your name and email address. Clerk is certified under the EU-US Data Privacy Framework.
  • Neon (neon.tech) - managed Postgres database. Stores all account and contact data. Data is stored in the EU (AWS eu-west-1 or equivalent). Connections are encrypted in transit and at rest.
  • Anthropic API (anthropic.com) - AI message generation. Contact names, notes, and any context you provide are sent to Anthropic's API to generate outreach drafts. Anthropic's API data handling policy applies. Anthropic does not use API submissions to train its models by default.
  • Trigger.dev - background job orchestration. Payloads may include contact identifiers for task routing. Data is not persisted beyond job execution. Infrastructure is hosted in the EU (AWS eu-central-1).
  • Exa (exa.ai) and Tavily (tavily.com) - contact enrichment. Contact names and company names are sent to these APIs to retrieve publicly available professional information. Data is used only for enrichment and is not retained by these providers beyond the API response.
  • Netlify - serverless function hosting. API requests are processed on Netlify's infrastructure, hosted in the UK (AWS eu-west-2, London).
  • Sentry (sentry.io) - error monitoring and crash reporting. Sentry receives error stack traces and diagnostic context (e.g. page URL, browser version) when the application encounters an error. Personal data in error payloads is scrubbed where possible; Sentry data is stored in the EU.
  • Plausible Analytics (plausible.io) - cookieless usage analytics. Receives aggregate, anonymous data about page views and feature usage. Plausible does not use cookies, does not store IP addresses, and does not track individuals. No personal data is transferred. Infrastructure is hosted in the EU (Germany).

We require all sub-processors to implement appropriate security measures and to process data only as instructed.

5. Data retention

We retain your data for as long as your account is active. Specifically:

  • Account data is retained until you delete your account.
  • Contact data, grades, and outreach history are retained until you delete the contact or close your account.
  • Contacts marked for removal (where you select "Remove" in the grading flow) have their record soft-deleted. You can request hard deletion at any time.
  • Backup data is retained for up to 30 days after deletion.

On account closure, all personal data is deleted within 30 days, except where we are required to retain records by law (e.g. billing records for up to 7 years under UK tax law).

6. Your rights under UK GDPR

As a UK data subject you have the following rights. To exercise any of them, email privacy@runassay.app.

  • Right of access - you can request a copy of all personal data we hold about you.
  • Right to rectification - you can ask us to correct inaccurate data.
  • Right to erasure - you can ask us to delete your account and all associated data.
  • Right to data portability - you can request an export of your contact data in a machine-readable format (CSV or JSON).
  • Right to restrict processing - you can ask us to stop processing your data in certain circumstances.
  • Right to object - you can object to processing based on legitimate interests.

We will respond to all requests within one calendar month. In complex cases we may extend this by a further two months, in which case we will notify you within the first month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies

Assay uses only essential cookies required for authentication (set by Clerk). We do not use tracking, advertising, or analytics cookies. You cannot opt out of essential cookies without losing access to the service, as they are necessary for login sessions.

8. Security

We use industry-standard security practices: encrypted connections (TLS), encrypted storage, access controls, and regular security reviews. No system is 100% secure; if you believe your data has been compromised, contact us immediately at privacy@runassay.app.

9. Changes to this policy

We may update this policy as the service evolves. Material changes will be communicated by email or in-app notice with at least 14 days' notice before the effective date. If you do not agree to the updated policy, you may close your account before the effective date. If you continue to use the service after the effective date, you will be taken to have accepted the updated policy.

10. Data Protection Officer

Goldseam AI Consulting Ltd has assessed its processing activities against the criteria set out in UK GDPR Article 37 and has determined that it is not required to appoint a Data Protection Officer at this time. Privacy enquiries should be directed to privacy@runassay.app.

Last updated: 23 March 2026. Goldseam AI Consulting Ltd, company number 16896682, registered in England & Wales.